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Abstract. We propose an approach on model checking information flow 
for imperative language with procedures. We characterize our model with 
pushdown system, which has a stack of unbounded length that naturally 
models the execution of procedural programs. Because the type-based 
static analysis is sometimes too conservative and rejects safe program 
as ill-typed, we take a semantic-based approach by self-composing sym- 
bolic pushdown system and specifying noninterference with LTL for- 
mula. Then we verify this LTL-expressed property via model checker 
Moped. Except for overcoming the conservative characteristic of type- 
based approach, our motivation also includes the insufficient state of arts 
on precise information flow analysis under inter-procedural setting. To 
remedy the inefficiency of model checking compared with type system, 
we propose both compact form and contracted form of self-composition. 
According to our experimental results, they can greatly increase the ef- 
ficiency of realistic verification. Our method provides flexibility on sepa- 
rating program abstraction from noninterference verification, thus could 
be expected to use on different programming languages. 



1 Introduction 

Noninterference is a standard criterion to formalize secure information flow. This 
property was first introduced by Goguen and Meseguer[l] for multi- level com- 
puting system and applied to programming language via semantic model. It 
commonly means any two runs of program starting in two indistinguishable 
states yield two indistinguishable final states. That is to say, for any pair of runs 
the difference on secret input are unobservable via public output. 

Typical information flow analyses are studied using security type system 
[2] [3] [4] [5] [6] . These type systems guarantee well- typed programs do not leak 
any secret information. But these type-based approaches are considered overly 
conservative and sometimes reject safe programs, such as I := h ■ 0. Take the 
following program as another example, 
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if (1) y: = h; else skip; 
if (!1) x: = y; else skip; 



Suppose I and x are low, while h and y are high, standard type system[2] rejects 
this program over-restrictively by reporting a flow from h to x. 

To remedy this problem, semantic-based approaches [7] [8] are developed, es- 
pecially a recent popular approach, self-composition [9] [10], which composes the 
original program with a variable-renamed copy to avoid considering correlative 
executions as pair. Model checking is an important method to verify properties of 
semantic-based program model. It is well-known as fully- automated and mature 
tool-supported. Though argued against the high complexity, model checking has 
been used to check noninterference, combined with abstract interpretation [11], 
self-composition[10][12], and type-based approach[12]. 

Lots of existing work get into the spectrum of discussing noninterference over 
more complex program constructs. Procedure is considered as a common feature 
of realistic imperative languages. In some applications we need to verify code 
from different sources together. Also there may be context-sensitive procedure 
calls in program. Noninterference verification of these programs involves inter- 
procedural information flow. Consider the program below 



after f unc returns, the high variable h has indirectly passed to the low variable 
I. Suppose the global variables are only observable after func returns, inter- 
procedural analysis is required. Volpano and Smith [3] has developed a non- 
standard type system to check information flow of an imperative language with 
procedures. But for the more precise approaches[12][10][ll], procedure is not 
considered. 

Some work treats information flow with program logic in procedural setting. 
Bcringer et al.[13] adapt type-based approach to Hoare-like logic and introduce 
an auxiliary binary formulae to encode noninterference according to the princi- 
ple of self-composition. Their procedure model is only restricted to parameterless 
form. Amtoft et al.[14] propose a Hoare-like logic to analyze inter-procedural in- 
formation flow with independence assertion for object-oriented language. Method 
call in object-oriented language introduces additional impreciseness because of 
pointer aliasing on concrete location. Their procedure form is different from pro- 
cedure of imperative languages and the memory model is much more complex. 

Hammer et al.[15] investigate an approach for information flow control based 
on a well-known program slicing technique, program dependence graph (PDG). 
Inter-procedural information flow control can be achieved by computing sum- 
mary graph and constructing system dependence graph (SDG). They introduce 
path condition[16][17] to improve the preciseness. Since PDG has been applied 



int h , 1 ; 



void func (int a, int &b) { 



func (h , 1 ) ; 



int c : = ; 

while (a>0) { C++; a — 
b: = c ; 



} 



} 



to handle realistic programs in C and Java, their approach seems quite general. 
But in their approach impreciseness comes from the construction of PDGs/S- 
DGs. Programs should be translated into static single form (SSA) and the size 
of path condition should be reduced. This method is also much more expensive 
than type-based approaches and conservative because we cannot exclude safe 
program if some PC(y,x)=true. 

The relative insufficient study on inter-procedural information flow in state 
of arts motivates us to propose a general inter-procedural framework for more 
precise information flow analyses than the type-based approaches. Our model 
is based on symbolic pushdown system[18]. A pushdown system is a transition 
system with a stack of unbounded length in states. This unbounded stack pro- 
vides a natural way to model the execution of program with procedure. The 
state of pushdown system includes control locations and stack symbols. Control 
locations are used to store global variables. Stack symbols contain both control 
points and local variables of procedure. This semantic model has been proved 
sound to our language and can be directly expressed as the input of model 
checker Moped[19]. 

The verification process consists of the following phases. First a symbolic 
pushdown system is derived from core-language program. Then we self-compose 
the derived symbolic pushdown system and express noninterference with LTL 
formula as the inputs of Moped. Verification is then performed by Moped. If 
noninterference is violated by the program model, we can get a single coun- 
terexample. This witness trace can help us find out which high variable causes 
the insecure information flow, thus be useful for secure program development. 
We have experimentally proved that our method is more precise than ordinary 
type-based analysis on inter-procedural information flow. Considering the rela- 
tive high complexity of model checking, we have developed two derived forms of 
ordinary self-composition, called compact self-composition and contracted self- 
composition. The experiments indicate great efficiency improvement with these 
derived forms compared with ordinary self-composition. Another advantage of 
our approach is the flexibility unveiled by self-composing symbolic pushdown 
system instead of high-level language. Unlike other work did self-composition 
directly on high-level languages[I2][I0], our approach separates the possible ab- 
stractions of high-level languages from noninterference verification. Although we 
use a simple imperative language with procedure for simplicity, we believe it 
possible to apply our approach to different high-level programming languages 
by abstracting them into pushdown systems. 

The rest of our paper is structured as follows. Section 2 sketches the simple 
imperative language and presents symbolic pushdown system derivation. Sec- 
tion 3 proposes the algorithms of both ordinary form and derived forms of self- 
composition for composing pushdown system, and introduces how to specify 
noninterference with LTL. We report our experiments in Section 4 and possible 
discussions in Section 5. 



v : := c I true | false (value) 

c : := x | v | 1 | ei o e2 | proc(in xi, out X2)S (expression) 
S : := skip | e := e' | if e then Si else S2 | while e do S | Si; S2 

I letvar x := e in S | e(ei,e2) (statement) 

Fig. 1. Language Syntax 
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, - ; ; 1' £ dom(p) and 1' £ dom(A) (CALL) 



Fig. 2. Induction Rules 



2 Program Modeling 

2.1 Language Syntax and Semantics 

The syntax of our core language with first-order procedure is given in Fig. 1. I is 
memory location. The in parameter is local while the out parameter represents 
reference to global variable. The big-step operational semantics are presented in 
Fig. 2. a, A C L x V are heap and stack respectively, where L is the domain of 
memory location and V is the domain of value, dom(fx) ndom(X) = 0. A t±J [I := v] 
extends A with a new I assigned with v. BINDVAR stores v to new location I 
of A and refers each free occurrence of x in S to I. Therefore the scope of x 
is S, and I is deallocated after the execution of S. We assume all substitutions 
capture-avoiding and procedure main non-recursive. 



2.2 Pushdown System 

Definition 1 (Pushdown System). A pushdown system is a triple V = 
(P,r,A). P is a finite set of control location, r is stack alphabet, and A C 
(P x r) x (P x r*) is a finite set of pushdown rules. The pushdown rule 
has a form of (p, 7) (p',w) to represent the relation ((p, 7), (p', w)), where 
p,p' G P, 7 G r,w G r* . A configuration of V is a pair (p,w), where p G P 
and w E r* . w stands for a snapshot of stack content. Suppose the config- 
uration set of V is denoted by Conf(V). We have a transition relation -^>C 



Conf{V) x Conf(V) defined by the set of pushdown rules A as follows: If 
(p,7) (p',w), then {p,jw') -» (p',ww') for all w' G T* . Let cq be the ini- 
tial configuration. We have a transition system corresponding to the pushdown 
system as X-p = (Conf(V),^»,Co). 

Each pushdown rule gives a pattern of program execution step. Without loss 
of generality, we assume w | < 2 in that any pushdown system can be put into 
a normal form(| w |< 2) with linear size increase[18]. 

Definition 2 (Symbolic Pushdown System). A symbolic pushdown system 
is a pushdown system with form (Pq x G, Jo x L, A, Co). Po is the set of symbolic 
control locations, and Jo is stack alphabet. G and L are respectively the domain 
of the control locations and stack symbols. The pushdown rules have a form 
((P,9)(l, 1 )) ^ ((p',g'),(-n,h),---,(ln,ln)), where p,p' G Pq, 7, 71, . . . , 7„ G 
Jo • The corresponding symbolic form separates the symbolic part from a relation 
of valuations: 

(p,j) =— > (p',7i,...,7„) (g,l,g',h,...,l n ) G R 
where R C (G x L) x (G x i") is a relation. Here we can also generally suppose 
n ^ 2. A is the set of symbolic pushdown rules. Co = ({po} x G) x ({?yo} x L) is 
the set of initial configurations. 

The global variables are encoded into control locations and the local variables 
are encoded into the stack alphabet. Since we specify the control points of each 
procedure with stack symbols, and the global and local variables are considered 
as their value in R, Pq x G can be simplified to G and the symbolic pushdown 
rule is of form (7) ^ (71, . . . ,7„), {g,l,g',h, . . .,l n ) G R. 



2.3 Pushdown Rules Derivation 

Suppose local variable x of procedure p is uniquely denoted by (p, x) G P x Q, 
where P is the domain of procedure tag and Q is the domain of local variable 
name. Fig. 3 gives static analysis F to get the unified local variable set 9 CPxQ. 
Partial function 77 : P — >• 2 Q , r/(p) = {x | (p,x) G 8}, derives all local variables of 
a procedure. Let N = {n ; | i G N} be a pool of control points from which we 
get unique control point during pushdown rule derivation. In order to derive 
pushdown rules for program, we define $(S, ni, nj, p, R) in Fig. 4. and nj 
are respectively the entry and exit control point of S. p = dom(^i). J? is a 
set collecting information about variable variation and variable evaluation in 



F(Si; S 2 , p) = F(Si, p) U F(S 2 , p) F(letvar x := e in S, p) = F(S,p) U {(p, x» 

F(while e do S,p) = F(S,p) F(if e then Si else S 2 ,p) = F(Si, p) U F(S 2 , p) 

F((proc(in xi, out x 2 )S)(e, 1), p) = {{p', xi}} U F([l/x 2 ]S, p'), p' is the tag of proc 



Fig. 3. Unifying Local Variables 



^(skip.iii.nj.p.R) = {((p i )(n i ,7 ?i (p))> ((p i )(n j , }?i (p))) | R} (P-SKIP) 
$(x := e,n i; n j; p,R) = {<( Pi )(ni, r?i(p))> ((ft) fa, r?j (p))> | R'} (P-UPDATE) 
R' = R U {pj [x] = e} A ft = ft[x : = e] A J?j(p) = f?i(p), if x G p 

R' = RU{?7j(p)[x] = o} A ft = pi A r?j(p) = ??i(p)[x := e], if x G ^(p) 

$(Si;S 2 ,ni,nj,p,R) = $(Si, m, n k , p, R) U $(S 2 , n k , m, p, R) (P-SEQ) 
$(if ethen Si else S 2 , m, nj, p, R) = {(( P i)(ni, ^(p))) ((pi)(n k , ^(p))) j RU{e}} 

U{<(p i )(n i ,^(p))> {(p i )(n 1 ,^(p))> | Ru{!e}} 
U$(Si, n k , m, p, R U {c}) U $(S 2 , ni, m, p, R U {!e}) 

(P-BRANCH) 

$(while e do S.m.nj.p.R) = {<(pi)(n ; , »*(p))) {( Pi )(n h *n(p))> | RU {!c}}U 

{((Pi)(iii,»»(p))) ((pi)(n q ,r7i(p))) | RU{c}}U$(S,n q ,ni,p,Ru{e}) (P-LOOP) 
$(letvar x := e in S, ru, iij, p, R) = 

{((p i )(n i ,r? i (p))> ^ <(p i )(n k ,? 7i (p)[x := e])> | R U {j/k(p)[x] = e}} U <E-(S, n k , m, p, R) 

(P-BINDVAR) 

$((proc(in xi, out x 2 )S)(e, 1), nj, nj,p, R) = 

{((Pi)(ni,»ji(p))) ^ ((p i )(n k ,r, k (p')[x 1 := e])(m, ^(p))) | R U {»fc(p')[xi] = e}} 
U$([l/x 2 ]S, n k , n q , p', 0) U {((p q )(n q , »j,(p'))> ^ ((PiM) I R}, p' is the tag of proc 

(P-PROC) 

Fig. 4. Derivation Rules for Pushdown System 



{(m) <-> (n 3 , n 2 ) | {h' = h, 1' = 1, xi = h, c' = c}}U {(n 4 > (e) | {h' = h, 1' = 1}}U 

{(n 3 ) <n 5 ) | {h' = h,l' = l,xi = xi, c 1 = 0}}U 

{(n 6 ) (n 7 ) | {xi > 0,h' = h,l' =l,xi =xi,c' =c}}U 

{{n 7 > ^ (ng) | {xi > 0, h' = h, 1' = 1, xi = xi, c' = c + 1}}U 

{(n 8 ) ^ (n 5 ) j {xi > 0, h' = h, 1' = 1, xi = xi - 1, c' = c}}U 

{{n 5 > ^ (n 6 ) | {xi < 0,h' = h,l' =l,xi =xi,c' =c}}U 

{(n 6 ) <-> (n 4 ) | {h' =h,l' = c,xi =xi,c' = c}}U {(n 2 ) (e) | {h' = h,l' = 1}} 
Fig. 5. Symbolic Pushdown Rules 



statement transition for each pushdown rule. We extend R in P-BRANCH and 
P-LOOP to record the precondition of control flow. R is initialized with 0. e 
denotes the empty stack symbol. 

In order to translate the derived pushdown rules into symbolic form, we 
suppose the control point as explicit stack symbol. We prime left-side variables 
of evaluation relations in R. Then we prime the post-transition global variables 
and local variables in top stack symbol, also double-prime the post-transition 
local variables in bottom stack symbol. For the variable holding its value during 
transition, extend R with an equivalence relation of that variable. Then we derive 
the symbolic form {(n s ) ^ ((^tj • • ■ {nt k )) \ R}, (k — 0, 1,2). Fig. 5 gives the 
symbolic pushdown rules of the example calling procedure f unc in Section 1. 

The derived symbolic pushdown system is sound on enforcing noninterference 
for the core language programs as shown in the following theorem. Let p = (p, 9) 
be the state of V. fPj\i means an execution of V with initial state p. It returns 
a final state p' or _L if it does not terminate. 



Theorem 1 (Soundness). Suppose V = (P,T,A) is the pushdown system of 
statement S. A is derived by <P(S,ni,n,j,pk,®)- Vpo, #o> MO) Ao, [^((poi ^o}) = 
(p', 9'), (po, ^o, S) 4 (//, A'). We have procedure pk on the top of procedure stack 
of Ao and A'. Suppose VI G dom(p), po(Q = PoK, and VI G dom(Xo) corresponds 
to variable x of pk, Ao(Z) = »7o(pfc)[ a; ]> we /icwe 

VZ G dom(p), /i'(Z) = p'[Z] ; and VI G dom(X'), if I corresponds to variable x of 
Pfe,A'(Z) = »?'(pfe)[a;]. 

Proof: (See Appendix for details). 

3 Noninterference Property Specification 

In order to specify noninterference, we suppose the adversary can observe whether 
program terminates. Then noninterference can be classified into termination- 
sensitive(TS) and termination-inscnsitive(TI). TS requires the correlative pair- 
ing executions of program both terminate or both unterminate. TI only judges 
the low-equivalence of final states when both executions terminate, and does not 
get violated if either execution unterminates. Let L C \i be the public variables of 
program. We define low-equivalent relation =£ as Vx G p, if x G L, pi[x] = P2[x], 
and V(p,y) G 8, if (p,y) G L, rji(p)[y] = f? 2 (p)[y]- Then TS and TI are formally 
defined as follow. 

Definition 3 (TS). A pushdown system V has a property of TS if it satisfies 
Vui, yi 2 , m = L u 2 A = yi[ => 3yi' 2 , {V\\i 2 = ^ A ^ =l h' 2 - 

Definition 4 (TI). ^4 pushdown system V has a property of TI if it satisfies 

Vm, us, m = L u 2 a [p]m = ^ =*► p>Ju 2 = jl v (3^, fpj^ = ^ a ^ = L u' 2 )- 

TI can be simplified by restricting the precondition: 

Definition 5 (TI'). 4 pushdown system V has a property of TI if it satisfies 

Vm, u 2; m = L u 2 a [p]m = ^ a [p]^ 2 = ^ =► ^ = L u' 2 . 

For simplicity, we only consider TI in the following. The LTL property w.r.t TS 
can be derived similarly by method in [9] . 

3.1 Ordinary Self-Composition 

The primary motivation of self-composition is to model two correlative runs of 
program with indistinguishable inputs as a single run of composed program, 
which greatly benefits the algorithmic verification techniques, such as model 
checking, on the property expressing via temporal logics. 

Suppose V\ and Vi are pushdown systems. (x^ are states of V\, and |x 2 , 
are states of V 2 - Let u_i n u. 2 — (pi (1 p 2 ) U (6\ fl 2 ). © is disjoint union of 
memory. If (Xi fl (x 2 = 0, we define disjoint composition operation > of V\ and 
Vi as 

[PiKn-i ©n) = (M-i © M-) for some u, and [P 2 ](m.' © p. 2 ) = (y! © ^i 2 ) for some \i! , 
iff [Pi > V 2 ]{\H © jxa) = (Mi © 



Suppose [i = (p, 9) be the state of V. The state of V[£] is derived by renaming 
the variables of V by function £ : [i — > ({x* \ x e p}, {(p, y*) \ (p, y) e 9}), such 
that Vx E p,£(x) = x* and V{p,y) £ 0,£({p,y}) = ip,V*)- The ordinary self- 
composition is defined based on disjoint composition and variable renaming, 
and the corresponding TI is defined as: 

Definition 6 (TI, ordinary self-composition). V has a property of TI iff 

m = L fcA[p> P[£]](m e = K © A) \i[ = L v4 

where are sfaies ofV, and (J-2, M-2 are s ^ es o/"P[£]. 

The corresponding self-composing algorithm on pushdown system to derive 

V \> V[£,] is proposed as follow. 

1. Derive P[£] by substituting variables of V with the corresponding renamed 
variables defined by £, and substituting each control point n, of V with n*. 

2. Merge the pushdown rules of V and 

3. Modify the last pushdown rule of V from (n/j no j) =— > (e) to (nf ina i) (ra* nit ), 
and for the totalness of composed pushdown system, modify the last push- 
down rule of V[£] from (n} iW ) (e) to (n* fmal ) (n* final ). Algorithm 1 is 
used to find the last transition of original pushdown system. 

4. For each rule of V, Vx* G p 2 , add a;*' = x* to _R. For each (m) ^ (n,) of 
V(p,J/*> G 2 , add ?7(p)[y*]' = ??(p)[j/*] to fl. For each (n fe ,n.,} of V, 
V( P ,y*) e 9 2 , add v(p)[y*]" = »7(p)[y*] to J2. 

5. For each rule of V[£\, Vx € pi, add x' = x to i?. For each (n*) M> (n*) of P[£], 
V(p,y> e U add 7?(p)[j/]' = v(p)[y] to i?. For each (n*) ^ (n* k ,n*) of V[£\, 
V(p 7 y) £ 9i, add 77(p)[y]" = V (p)[y] to i?. 

6. V(p,i/) G 0i, add T?(p)iy]' = ??(p)[y] to i? of ^ (n* mt ). 

Then TI can be expressed by linear temporal logic and verified on this composed 
pushdown system by model checking. V has a property of TI if and only if 

V t> V[£] satisfies (m = L u 2 ) =► G(n} iW => (m = L u 2 )). 



Algorithm 1: LastTransitionFinding 

toVisit :— startConf{p,~fo}-Jo; visited := 0; 
while toVisit ^ do 

cw := toVisit. head; toVisit := toVisit \ {cur}; 
forall the t £ trans / do 

if t.expr — (p,cur) <-¥ (p,7',7") A -^find(j" , visited) then 

| toVisit := toVisit U {7"}; 
if t.expr = (p,cur) <— >• (p, 7'} A -^find(j' , visited) then 

[ toVisit := toVisit U {7'}; 
if t.expr = (p, cur) <-> (p, e) then 
I return i; 

end 

visited := visited U {cur}; 
end 



3.2 Compact Self-Composition 

Since our approach is based on symbolic model checking, the variable count has 
great impact on the size of binary decision diagram (BDD) and performance 
of model checker. The increase in variable count after ordinary self-composition 
seriously decreases the efficiency of model checking. This motivates us to find 
new self-composing methods in inter-procedural settings. The compact form of 
self-composition relics on the following two assumptions 

— All the variables observable by the adversary are global. That means to treat 
the procedure with observation point in it as main procedure. 

— All local variables are initialized before being used in procedure, and vanish 
while procedure returns, thus are considered as high. 

Let |ii ®i |i 2 = Hi 8 P2 = (pi, 0i ) © pi, and |Xi ® r |i 2 = Pi © 1^2 = Pi © (p2, 2 ). 
Suppose (Bp is the disjoint union of global variables, we have compact disjoint 
composition > p of V\ and V2, where [PiKfii ©z (i) = (|i'i © |i) for some |i, and 
IV2W ©r jxa) = © ^) for some li', iff [Pi > p P 2 j(^ © p li 2 ) = © p 

Definition 7 (TI, compact self-composition). V has a property of TI iff 
Pi =l P2 A \V Op V[£]](\li ffip jia) = W ©p H 2 ) =>• p[ =l p' 2 

The self-composing algorithm w.r.t compact form is derived by modifying 
step 4 to step 6 of the algorithm in Section 3.1 to the following strategies 
4'. For each rule of V, Vx* G p 2l add x*' = x* to R. 
5'. For each rule of V[£\, Vx G pi, add x' = x to R. 

A unified algorithm of ordinary and compact forms of self-composition is 
illustrated by Algorithm 2. Suppose V.lvars : CP i-» 2® be a mapping from the 
set of control points to a set of local variables related to certain procedure. Also 
suppose procedure tag pi is represented by the set of control points arrived during 
execution of this procedure. Then we have V.lvars(j) — {x\-f £ p i} {pi,x) 6 8}. 

3.3 Contracted Self-Composition 

According to the assumptions given in Section 3.2, we know that noninterference 
property at certain observation point of program does not really care the value of 
local variables in the callee procedures. By the algorithm of Section 3.2, we have 
reduced the length of R accompanying pushdown rules. But what if we want to 
reduce the states of composed program? Since the adversary can only observe 
the global variables of main procedure, we can avoid duplicating memory of 
local variables by making the composed part of main procedure call the original 
callee, instead of the composed callee, as original part of main procedure does. 
This form of self-composition additionally relies on the following assumption: 

— Global variable can not be used in callee procedure unless it is passed as 
parameter of callee procedure. 

With the contracted form of self-composition, we do not compose callee proce- 
dures. Therefore we could not express the direct effect of newly defined global 
variables on local variables of callee procedures. The state of V[£,'] is derived 
by C : (p,0) ->■ ({x* I x e p},6) such that Vx e p,£'(x) = x* and V(p,j/> G 
0)£'((P>2/)) — (p>y)- We have TI w.r.t a contracted form. 



Algorithm 2: Ordinary and Compact Self Composition 



Data: V , scjmode 
Result: V > 
begin 

forall the x € V.gvars do 

i 'P[£].<?uars := P^.gvars U {£(2:)}; 
end 

(P > V[£]).gvars := V.gvars U 'P[£].pt>ars; 
forall the 7 G CP do 

! forall the x £ V.lvars(-y) do P^/vars^t) := P[£] .lvars(jt) U {£(2)}; 
end 

V[Q.startConf := (V .startConf.p, Append(P.startConf.~(, 't')); 
(V > V[£\).startConf := P.startConf; 
forall the t £ V ■ trans do 

if t.expr — {p, 7) «-4 {p,j'"/") then 
if scjmode = ordinary then 

P[£].trans := P^.trons U {(p,7i) ^ (p,7'i,7"t)| 

(t.rel) x A /\ Xi eV.gvars( X i = A A Xi eV.lvars(-,)( X i = X i)}\ 

t.rel := i.reZ A /\ x . £P ^]. gvar3 (Xi = x t ) A A^g-p^.i^rs^t)^ = 

if scjmode — compact then 

V[£].trans := V[£\.trans U {(p,jt) ^ (p,7'i,7"t)| 
(t.re/)^ 5 A A eT , (a;' =Xi)}; 
t.rd := i.re£ A A^e^Kl-a"*™^ = 

else if t.expr = (p, 7} ^ (p, 7') then 
if scjmode = ordinary then 

Pg] .trans := P^.trons U {(p,7i) ^ (p,7't)| 

(t.rel) x /\/\ x . e -p gvarsU -p [vars ^(Xi = Xi)}; 

t.rel := t.rel A A Xi eVli].gvarsUV[£].lvars(yt)( X i = ^Oi 

if scjmode — compact then 

.trans := V[£,].trans U {(p,7t) ^ (p,7't>| 

(t.rel) i(x) A A ex. (»i =*i)l; 

V / x / \xi£V .gvars^ * */J ' 

t.re/ := t.rel A A !Ci e7'[£]. s «<w S ( a; i = x &, 

else /* t.expr — (p, 7) <-» (p, e) */ 

if t = LastTransitionFinding(V) then 

V[£].trans := V[£].trans U {(p,7t) ^> (p,7i)| 

(t.rel)^ AA cp (a^ = £;)}; 

if scjmode = ordinary then 

V. trans := (V .trans \ {t}) U {(p,7) ^ P[f].stortCon/| 

(t.rel) A A Iie -p.; t ,ars(7)UP[e]. 9 DarsU-PK].itiars(7t)( a; i = X 0}i 

if scjmode — compact then 

V. trans := (V. trans \ {*}) U {(p,7) ^ ?>[£]. startCon/| 
(t.re/) A A^ePKi-s^s^i = 

else /* last transition of other procedures except main */ 

[|] .irons := P^]. irons U {(p,7t) ^ (p,e)| 

(t.rel) AA IjeP ,„ or Jxi=x,)}; 
i.re/ := t.rel A A^ e p K ]. 9 „ar>* = x &> 
end 
end 
end 

(P > V[£]).trans := V. trans U V[£,].trans; 
if scjmode = ordinary then 

forall the x 6 V.lvars^) do 

V.lvars^) := V.lvars(~() U {£(2:)}; 
P[£]ivors(7t) := P[f].it>ars(7*) U {x}; 
end 



Definition 8 (TI, contracted self-composition). V has a property of TI iff 
pi = L P2 a \v > p P[e']](m ®p = (K ©p ^) Pl =L P' 2 

The related self-composing algorithm distinguishes pushdown rules of main pro- 
cedure from pushdown rules of callee procedures. 

1. Derive V[£'] by substituting variables of V with renamed variables defined 
by For pushdown rules of main procedure, substitute each (nf) <—} (rij) 
with (n*) (n*), (n,> ^ (e) with (n*) (e), and (rij) > (n k ,nj) with 

2. Merge V{^'\ and 7-*, taking duplicated pushdown rules only once. 

3. Same as step 3 in Section 3.1. 

4. Same as step 4' and 5' in Section 3.2. 

The corresponding LTL-expressed TI for compact self-composition and con- 
tracted self-composition is (pi =l p<i) => final ^ (P 1 =L /° 2 ))- ^ 
be the set of global variables used as the store of return value of the callee pro- 
cedures. The algorithm is described in detail by Algorithm 3. Our experiments 
in Section 4 illustrate the improvement on efficiency brought by these derived 
forms of self-composition. 

4 Experiments 

The main purpose of our experiments is to reveal that the derived forms of self- 
composition, compared with the ordinary form, can really improve the efficiency 
of verification. Also we make clear how we could benefit from the procedural 
settings and model checking. 

We have implemented all three forms of self-composition for symbolic push- 
down system. This is a static transformation before the pushdown system parsing 
phase. Self-composed pushdown system is generated and related Moped options 
are set. We add command-line options to Moped version 1. We also implicitly 
require the derived variables and control points in composed program tagged by 
postfix -t, especially the final control point named as -final. With this assump- 
tion, user can express TI/TS noninterference by LTL from the original symbolic 
pushdown system instead of the one after self-composition. All experiments were 
performed on a laptop with 1.66 GHz Intel Core 2 CPU and 1 GB RAM run- 
ning Linux Fedora Core 6. The BDD library used by Moped is CUDD 2.3.1. 
Experimental results are partially presented in Table 1. 

In this table, #gvars and #lvars give the number of global variables and 
the number of local variables respectively, ^pubs represents the number of pub- 
lic/low variables. N gives the number of bit of each integer variable. As shown 
in Fig. 6, larger N causes increase in consumed time and memory. Fortunately 
however, the secure/insecure judgement made by our method is mostly insensi- 
tive to N, thus we could set N as small as possible to outperform other methods. 
The only matter is to ensure the range of integer (0 ~ 2 N — 1) cover the con- 
stant value assigned to it. The basic checking result Yes reports the program is 
secure, while the answer No, along with the witness path generated as a coun- 
terexample, not only tells the program is insecure, but facilitates our method on 



Algorithm 3: Contracted Self Composition 
Data: V ~~ ~~ " 

Result: V > p V[g] 
begin 

forall the x £ V.gvars \ RT do 

| V[£,'].gvars := V[£'].gvars U {£'{x)}; 
end 

(V > p V[(,']).gvars :— V.gvars U V[£'].gvars; 
(V > p P[l ]).lvars := V.lvars; 
forall the 7 £ CPuain do 

forall the x £ V.lvars^) do 

(V > p V\i']).lvars := (V > p T[£']).lvars U {-yt ^ x}; 

end 

V[^'].startConf := (V.startConf.p,Append(V.startConf.j, 't')); 
(V > p V[£']).8tartConf := P.startConf; 
forall the i £ M ainTrans(V .trans) do 
if t.expr — (p, 7) <-> (p, e) then 

P[£'].irons := P[£'].irons U {(p,7i) ^ (p,7*)| 

(*- re OxeP.siars\flT ^ /\ Xi eV .gvars\RT( X i ~ x i)}> 

else if t.expr = (p, 7} ^ (p, 7'} then 

V[£,'].trans := P[£'].irons U {(p,7i) ^ (p, -y't)| 

{t-rel) xe -p.l} a rs\RT ^ /\x i eV.gvars\B,T( X i ~ x i)Y> 

else /* t.expr = (p, 7) (p, 7', 7"} */ 

P[£'].irons := P[£'].irons U {(p,7i) ^ (p,7',7"i)| 

(*- re !c e7'.s«ors\HT ^ /\xieV.gvars\RT( X i ~ X i)}' 

end 

i.rd := t.rel A A^ePK'i.^arJ^ = ^i); 
end 

(V > p V[£']). .trans := V. trans U V{£'}.trans; 
end 



Algorithm 4: MainTrans (used in Algorithm 3) 

toVisit :— startConf{p,yo) -7o; visited := 0; rJtrans := 0; 
while toVisit 7^ do 

cur := toVisit. head; toVisit := toVisit \ {cur}; 
forall the i £ trans / do 

if t.expr — (p,cur) <^-> (p,"f',j") A -ifindW , visited) then 

I toVisit := toVisit U {7"}; r -trans := r -trans U i; 
if t.expr = (p, cur) c — >- (p, 7'} A -ifindfa' , visited) then 

I toVisit := toVisit U {7'}; r _trans := rJtrans U i; 
if t.expr = (p, cur) <^ (p, e) then 
I rJtrans := rJtrans U i; 

end 

visited := visited U {cur}; 
end 

return rJtrans; 
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reasoning the flow path from certain high variable to low variables. In another 
word, the single counterexample identified by model checker could tell us the 
flow-source variable with security level high. This is the first step to fix the flaw 
of program, and probably the most obvious benefit provided by model checking. 
Consider again the program calling func in Section 1, the snapshot is presented 
in Fig. 7 where N = 1. We can clearly observe the difference of / and It at ob- 
servation point comes from the difference on value of h and ht at the beginning 
of execution. The illegal flow is performed by transition rule from f 4 to f 5. 

Program ttaal, ttaa2 and ttaa3 are respectively programs presented in 
Figure 1, Figure 4 and Figure 9 of [10]. In [10] the authors report a failure 
on verifying ttaa3 secure using BLAST. Here using our method we can verify 
this program secure, hul, hu2 and hu3 model the program exprl.c, expr2.c 
and expr4.c of [12]. In order to explain the benefit from procedural setting, we 
encapsulate the if-branch of hu2 into a procedure and change hu2 to a program 
calling this procedure for sixteen times. The resulting program is hu2_func. 
The evaluation results are illustrated by Fig. 6. Compared with ordinary self- 
composition of hu2, consumed time and memory are greatly reduced by the 
ordinary self-composition of hu2_func. To make clear the effectiveness of the 
derived forms of self-composition, we did ordinary and compact self-composition 
on hu2 (since no procedure exists, the contracted form is not available) and 
all three forms of self-composition on hu2_func. The time reduction by using 
compact form is more notable on hu2 than on hu2_func. This is because hu2 
has more local variables, and the conjunction of relations in R is much shorter 
for compact form than ordinary form. That means each symbolic pushdown rule 
of derived pushdown system corresponds to more explicit pushdown rules and 
smaller BDD. The only one local variable of hu2_f unc could not make this effect 




Fig. 6. Time and Memory Comparison 



obvious. The contracted form could outperform the compact form because the 
number of derived local variables is reduced to half compared with compact 
self-composition and the number of pushdown rules is also reduced. hu3 can be 
verified insecure in two aspects. First, it can leak path information of whether 
branch with condition bio is taken. Here we need to specify the initial value 
of lowi(i = 1,2,..., 20) to be (See hu3 in Table 1). Second, we can reveal 
that lowio leaks highio by specifying the original part and the composed part 
of derived pushdown system take the same path (bj = bti, i = 1,2,..., 20) (See 
lm3* in Table 1). Here the path conditions b; should be global. Without any 
local variable, the ordinary form and compact form of hu3 are of no difference 
and we record experiment results of cither instead of both in Table 1. 

To show the realistic usage of our method, we have verified the standard 
module mocLimap . c of Apache 1.3.23. This program is also verified as an im- 
portant experiment in [12]. In the imap_url function of this program, a possible 
tainted Ref erer url could be returned and passed to menu.* functions and then 
to the arguments of ap_rvputs. ap_rvputs passes these arguments to client 
browser and causes a cross-site scripting (XSS) vulnerability. To check cross- 
site scripting, we need to consider the parameters of ap_rvputs as variables 
with high integrity, while the returned HTTP_REFERER has low integrity. The 
dual verification problem on integrity means to decide the high variables hold 
the following relation ((j-i =h U-2) => ^( n % n al =h M-2))- Since Moped 

can only deal with integer and boolean variables and array of both types, we 
have to first abstract string to integer, and model the string operations using 
binary operations of integers. To ensure that the abstract integer variable could 
be assigned by constant value modeling constant string, N could not be less 
than 4. We have successfully verified this program insecure, and according to 
the experimental results, the efficiency of our method under proper abstraction 
is competitive to other methods [12]. 
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Fig. 7. Snapshot of Counterexample 



5 Discussions 

To the language presented in Section 2.1, we require the out parameter of pro- 
cedure to refer to global variable. Because in symbolic pushdown rules of callee 
procedure, the stack symbols do not contain the stack symbol of caller. We can- 
not express the effect to the local variables of caller directly in one pushdown 
rule, including return action, of callee. This problem comes from the definition 
of transition relation -» of I-p corresponding to pushdown system V . We can 
solve this problem by storing the out value referring to the caller's local variable 
in the common part of caller's rules and callee's rules, that is the global variables 
as control locations. That means we need to add an additional control location 
r for the out value. In P-PR0C of Fig. 4, we need to substitute in procedure 
body S with r instead of 1, and add a rule for the caller to assign value of r to 
its local variable. This additional global variable could also help us to store the 
return value of language whose procedure has side effect. A possible ambiguity 
is the security level of this additional global variable. We could set it high to 
avoid invalid information flow caused by its change. Also we do not consider 
parameters with inout type since an inout parameter can be trivially eliminated 
by one in and one out parameter. 

Model checking based approaches are usually argued against the efficiency 
problem and state explosion. Although the derived forms of self-composition 
we develop could greatly improve the efficiency, the complexity of satisfiability 
for LTL is complete for PSPACE[20] [21]. Also the ordinary partial correctness 
specified by self-composition is undecidable while type-based approaches are 
generally much faster. 



As we have stated in last section, Moped can only deal with boolean and 
integer variables and arrays, and each integer variable should have a finite range 
of ~ 2 N — 1. This makes abstraction necessary for verifying realistic programs. 
So we plan to scale up our approach to more real applications by adapting proper 
approaches on abstraction, possibly using some recently developed tools [22] [23]. 
Because all forms of self-composition are developed on symbolic pushdown sys- 
tem, the influence of abstraction on self-composition should be little. 

When the program has a great many constants, certain information flow will 
be omitted if the initial N is too small. But larger N means increase on time 
and memory consumption, as we can see in Fig. 6. Therefore it is sometimes 
difficult to balance the exactness and the efficiency by choosing proper initial 
value of N. Another restriction of our approach is that with the deterministic 
nature of the model our approach has not scaled to concurrent programs. Our 
future work will adapt our approach to handle concurrency using some formal 
models [24] [25]. 
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Appendix 

Proof of Theorem 1 

We give some preliminary definitions before the detailed proof. We define a mapping 
G:Px(JxI->L from local variables of pushdown system to memory locations of 
current stack in operational semantics. I contains the depth of procedure call from main 
to the procedure which local variable belongs to. If we have I — G(pk,x,i) £ dom(X), 
that means I stands for local variable x of procedure p k , and p k is on the ith position 
of procedure stack. Let i t € I be the top-most procedure of current stack. We claim 
a common constraint to the language semantics that currently executing procedure 
cannot operate on the local variables of other procedures. Thus if I := e (I G dom(X)) 
is executed in calling procedure pk, there must be a {pk,x}, where I = G(pk,x,i t ) and 
the corresponding statement is x := e. 



We inductively prove that for each derivation rule <I>(S, n», rij,p, 0), the transition 
from [it to \ij is operationally sound to the change from (po, Ao) to (p', A') if (po, Ao, S) 4- 

(m',a')- 

1. SKIP 

p,' = po, A' = A . (SKIP) p' = p , T|'(p) = 7?o (p). (P-SKIP) 
V/ G dom(p),p (l) = Po[l] p'(Z) = p'[2] 

Since A' = Ao, V7 £ dom(X') => Z G dom(Ao). If 2 = G(p,x,i t ), \o(l) = ??o(p)[a;], thus 
A'(Z) = r)o(p)[x\. Since r/(p) = r?o(p), we have \/x G r)'(p)[x] = r/o(p)[x]. Thus 
A'(2) = r,'(p)[x}. 

2. UPDATE 

If lo G dom(p).(lo G p). 

p' = Po[Z := u], A' = A . (UPDATE-HEAP) 

p' = p [Zo := e],?/(p) = rjo(p). (P-UPDATE) 

V/ G dom(p) \ {Z },p'(Z) = po(Z),p'[Z] = A> [2], since p (Z) = po[l], then p'(Z) = p'[Z], 
and since p'(lo) = p'[Zo] = v, we have VZ G dom(p) , p' (I) = p'[Z]. 
Since A' = Ao,VZ G dom(X') => I G dom(Ao). If I = G(p, x, it), Xo(l) = Vo{p)[%], thus 
A'(Z) = rjo(p)[x}. Since rj'{p) = r?o(p), we have Va; G r/(p),r]' (p)[x\ = r? (p)[a;]- Thus 
A'(I) = u'(p)[x]. 

If lo G dom(Ao), 3(p, xo),lo = G(p, xo, it), the corresponding statement of pushdown 
system is xo := e. 

p! = po, A' = A [Zo := v]. (UPDATE-STACK) 
p' = po,v'(p) = Vo(p)[xo ■= e]. (P-UPDATE) 

V/ G dom(p) , p! (I) — p(l),p'[l] = po[Z], since po(Z) = Po[l], then p'(l) — p'[l]. 
VZ G dom(X') \ {lo},X'(l) = A (Z), if I = G(p,a;,i t ),Ao(0 = Vo{p)[x] Ai / a*, 
thus we have r/(p)[a;] = f?o(p)[a;], A'(2) = Ao(Z) = r;o(p)[a;] = rj (p) [x]. Also we have 
A'(2o) = rj'(p)[xo] = v. Therefore VZ G dom(X'), if Z = G(p,x,i t ), X'{1) = v'(p)[x]- 

3. SEQ 
/ /VZ G dom(pi),pi(l) = pi[Z]A 

^VZ G dom(Ai), if 3(p,x),l = G(p,x,i t ), then Ai(Z) = r?i(p)[a; 
/VZ G dom(pi),pi(Z) =pi[Z]A 
\ ^VZ G dom(Ai), if 3(p,a;),Z = G(p,x,i t ), then Ai(2) = J?i(p)[x 
/ {Vie dom(p 2 ),p 2 (Z) = P2[Z]A 

^VZ G dom(A 2 ), if 3(p,x),l = G(p,x,it), then A 2 (Z) = f?2(p)[a;] 
"/VZ G dom(p 2 ),p 2 (l) = p 2 [Z]A 
\ ^VZ G dom(A 2 ), if 3(p,a;),Z = G(p,x,i t ), then A' 2 (2) = r, 2 (p)[a:] 
'VZ G dom(p ),po(l) = Po[2]A 

VZ G dom(Ao), if 3(p,x),2 = G(p,x,i t ), then Ao(2) = f?o(p)[a?] 
pi = po A Ai = A A pi = po A r?i(p) = Jjo(p)A (I) => 
'VZ G dom(pi),p'i(2) =p'i[Z]A 

^VZ G dom(X'i), if 3(p,a;),2 = G(p,x,i t ), then Ai(2) = »ji(p)[a;] 
p 2 = p'i A A 2 = Ai A p 2 = pi A r]2{p) = r?i(p)A (III) => 
'VZGdom(p 2 ),p' 2 (Z)=p 2 [Z]A 

^VZ G dom(X' 2 ), if 3(p,a;),2 = G(p,x,i t ), then A' 2 (2) = r, 2 (p)[a;] 
p' = p 2 A A' = A' 2 A p' = p' 2 A »/(p) = V 2 (p)A (IV) =► 
'VZ G dom(p'),p'{l) = p'[Z]A 

^VZ G dom(X), if 3(p,x),2 = G(p,x,i t ), then A'(Z) = r/(p)[z 
CONDITIONAL-BRANCH 

If (po,Ao,e) 4- true, the branch conditions in 7? show that the transition from n, 
to rij is executed by {{{pi){rii,r]i(p))) {{Pi)(nk,Vi(p))) I u { e }} an d the rules 



(I) 



(II) 



A 



(HI) 
(IV) 



generated by $(Si, n k , rij,p, R U {e}). We have p k = p Arj k (p) = Voip), 
VI G dom(po), po(l) = po[/] = Pfc[Z]A 

V/ € dom(\o), if 3{p,x),l = G{p,x,i t ), then A (7) = ?7o(p)[a;] = Vk(p)[x] 
We can inductively get 
(Vie dom(p'),p'(l) = p'[Z]A 

\yi e dom(X'), H3(p,x),l = G(p,x,i t ), then = r)'(p)[x] 
If (fM>, Ao, e) 4- false, the proof is similar. 

5. LOOP 

If (po, Ao, e) 4- false, p! = po, A' = Ao. (WHILE-F) 

From the branch condition in R of (P-LOOP) we can see the transition is exe- 
cuted by pushdown rule {{(pi)(rn, r)i(p))) > {(pi){nj,r)i(p))) \ R U {!e}}. Thus 
p' = Po,v'{p) = Vo{p)- 
VI G dom(po), p-o(l) = po[l] => p'{l) = p'[l] 

Since A' = Ao,V7 G dom(X') => I G dom(Ao). If I = G(p, x,i t ), \o(l) = j)o(p)[a:], 
thus X'(l) — rio(p)[x]. Since r)'(p) — rjo(p), then Vx G r){p), r]'{p) [x] = rio(p)[x]. Thus 
\'(l) = r,'(p)[x]. 

If (po, Ao, e) 4- true, we need to prove the execution of pushdown system before the 
next time evaluation of e is sound to operational semantics. 
p q = po,V q (p) = Wo (p) ■ (P-LOOP) 
V/ G dom(p ), po(l) = Po[l] = p q [l]/\ 

VI G dom(\ ), if 3(p,x),l = G(p,x,i t ), then \ (l) = Wo(p)[x] = rj q (p)[x] 
VI G dom(p'),p'(l) = p'ilQA 

VI G dom(X), if 3(p,x),l = G(p,x,i t ), then A'(7) = ?7-(p)[x] 



(I) 
(II) 



6. BINDVAR 

V/ G dom(pa), p Q (l) = po[l]A 

VI G dom(Ao), if 3(p,x),l — G(p,x,i t ), then Ao(Z) = t?o(p)[:e] 
/ (VI e dom(ni),m(l) = pi[l]A \ 
VI G dom(Xi), if 3(p, x), I = G(p, x,it), then Ai(Z) = iji (p)[x] 
(VI G dom(p 2 ), p 2 {l) = p2[l]A 
\ \Vl e dom(\2), 3{p,x), I = G(p,x, i t ), then \ 2 (l) = r]2(p)[x] J ) 
pi = po, Ai = A W [l ■= v] (l 4- dom(po) Al dom(\ )). (BINDVAR) 
pi = po,m(p) = Wo(p)[xo ■- e]. (P-BINDVAR) 

Therefore, VI G dom(p) , pi (I) = pi [I] . (Ill) 
V/ G dom(Ai) \ {/o}, I G dom(\o) A \o(l) = Ai(Z), we have, if 3(p,x),l — G(p,x,i t ), 
then Ao(0 = Wo(p)[x] A x x , thus rji(p)[x] = rjo{p)[x]. 

Therefore VI G dom(Ai) \ {lo}, if 3{p,x),l — G(p,x,i t ), Xi(l) = r/i(p)[x]. And since 
Ai(Zo) = Vi(p)I x o] = v, we have VI G dom(Xi), if 3(p, x), I = G(p, x,i t ), then Ai(Z) = 
Vi(p)[x\. ' (IV) 

From (III) (IV) (II) we have 
(VI G dom(p 2 ), p 2 {l) = P2 [i] A 

yV7 G dom(A2), if 3(p,x),l = G(p,x,i t ), then A2(Z) = f?2(p)[a;] 

= p 2 , A' = A 2 \ {/o}- (BINDVAR) p' = p 2 , j/(p) = m{p)- (P-BINDVAR) 
V/ G dom{p!),p!{l) = p'[l]A 

VI G dom(X'), if 3{p,x),l = G(p,x,i t ), then X'(l) = t/(p)[x]. 



Therefore, 



7. PROC 

'V/ G dom(po), p (l) = po[/]A 

V7 G dom(Ao), if 3{p,x),l = G(p,x,i t ), then Ao(Z) = rj (p)[x] 



(I) 



/ /VZ G dom(pi),pi(l) = pi[Z]A \ \ 

^VZ G dom(Xi), if 3{p',x),l = G{p',x,i t ), then Ai(Z) = r?i(p')N / / TT \ 
/VZ G dom(p 2 ),/x 2 (Z) = P2[Z]A \ 1 j 

\ ^VZ edorn(\ 2 ), if 3(p', x), l = G(p', x, i t ), then A 2 (Z) = f? 2 (p')M / / 
pi = no, Ai = A thl [Z' := v] (Z' ^ dom(po) A Z' £ dom(A )). (CALL) 
pi — po- Therefore VZ G dom(pi), pi(l) = pi[Z]. (Ill) 
VZ G dom(Ai) \{Z'},Z G dom(A ), -.3(p', a:)(Z = G(p', a, i*)). 
Z' = G(p',x u i t ) A Ar(Z') = vi(p')[xi] = v. 

Therefore, VZ G dom(Xi),if 3{p',x),l = G(p' ,x, it), then Ai(Z) = r/i(p')[:r]. (IV) 
From (III) (IV) (II) we have 

/VZ G dom{p 2 ),p 2 {l) = p 2 [Z]A \ 
^VZ G dom(A 2 ), if 3<p',a:),Z = G(p',a:,i t ), then A 2 (Z) = mip'M J 
p! = A' = A 2 \ {/'}. (CALL) p' = p 2 ,7?'(p) = Voip)- (P-PROC) 
Therefore, VZ G dom(p) , p (I) = p'[Z]. 

Procedure p is on top of procedure stack, so dom{ Ao) = dora(A'). Since procedure 
p' cannot modify local variables in A', we have VZ G dom(X'), A'(Z) = Ao(Z). Since 
f/(p) = r]o{p), we have VZ G dom(X'), if 3(p,x),l — G(p,x,it), then A'(Z) = »/(p)[a;]. 



